On Sun, 9 Feb 2025 at 13:34, Elliotte Rusty Harold <elh...@ibiblio.org> wrote:
>
> On Sun, Feb 9, 2025 at 8:00 AM Slawomir Jaranowski
> <s.jaranow...@gmail.com> wrote:
>
> > We have a simple statistic
> > https://ci-maven.apache.org/job/Maven/job/maven-box/job/maven-dist-tool/job/master/site/dist-tool-committers-stats.html
> >
> > To remove somebody we need a procedure for it.
>
> Great. I'm glad we already have the information we need. I see 72
> committers and maybe 20% of those have been active in the last few
> years. I'm not sure what the technical procedure for removing
> committer privileges is. I don't have admin access on the GitHub or
> svn repos. However, as policy I propose:

As far as I know, we don't manage access rights separately for each service.
We can manage assignments to LDAP groups https://whimsy.apache.org/public/
via the Whimsy service.

>
> 1. Once a year, shortly after January 1, an admin manually removes
> committership from anyone who hasn't committed in the previous 4
> years. For instance, right now we would revoke committership from
> anyone whose last commit was in 2020 or earlier. The size of the task
> doesn't feel worth automating.
>
> 2. If a former committer notices they no longer have permissions and
> wants them back to do some work, they just have to ask here on dev@
> and they will be regranted. They don't have to prove themselves worthy
> of committer privileges again. They've already done that.
>
> 3. Other privileges like issue filing and PMC voting remain in effect
> as these aren't especially risky.
>
> There might be other permissions like the ability to push to the
> website or control the mailing lists we should also lock down. I don't
> know exactly how that works, but if anyone does please speak up.
>
> To be clear, we're not banning anyone. We're simply being cautious
> about active permissions given the risk of compromised old accounts.
> With 72 committers some of whom haven't been heard from in over ten
> years, it's likely some of these accounts are effectively defunct.
> It's even possible some developers are deceased.
>

Generally I agree, but we should start a separate thread for discussion,
and finally finish with a VOTE.

> --
> Elliotte Rusty Harold
> elh...@ibiblio.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>


-- 
Sławomir Jaranowski
